From c06d465f577818b438c1a475a0b5e1dbcbe5408a Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sun, 18 Jul 2021 23:15:14 -0400
Subject: [PATCH 1/2] PermitScrubber does not permit Processing Instructions
Fixes #115
---
 CHANGELOG.md | 12 ++++++++++++
 lib/rails/html/scrubbers.rb | 2 +-
 test/sanitizer_test.rb | 8 ++++++++
 3 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9af8242..7fa6422 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+## next / unreleased
+
+* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
+
+ Previously, a PI with a name (or "target") matching an allowed tag name was not scrubbed. There
+ are no known security issues associated with these PIs, but similar to comments it's preferred to
+ omit these nodes when possible from sanitized output.
+
+ Fixes #115.
+
+ *Mike Dalessio*
+
 ## 1.3.0
 * Address deprecations in Loofah 2.3.0.
diff --git a/lib/rails/html/scrubbers.rb b/lib/rails/html/scrubbers.rb
index c44d0ee..ad27971 100644
--- a/lib/rails/html/scrubbers.rb
+++ b/lib/rails/html/scrubbers.rb
@@ -68,7 +68,7 @@ def scrub(node)
 end
 return CONTINUE if skip_node?(node)
- unless keep_node?(node)
+ unless node.element? && keep_node?(node)
 return STOP if scrub_node(node) == STOP
 end
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index f3624e7..7938433 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -521,6 +521,14 @@ def test_uri_escaping_of_name_action_in_a_tag_in_safe_list_sanitizer
 assert_equal %{test}, text
 end
+ def test_exclude_node_type_processing_instructions
+ assert_equal("
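Review bot: The guard `unless node.element? && keep_node?(node)` now routes every non-element node that reaches it into `scrub_node`, not only processing instructions: if `keep_node?` matches purely on node name (the CHANGELOG's description of the PI bug suggests it does), a comment node could previously have been kept by a custom `tags:` list containing "comment", and after this change it is always stripped, as is any other non-element node type this branch can see. That is the right default for a sanitizer, but it is broader than the commit title and CHANGELOG entry state, so the entry should say non-element nodes (comments, processing instructions, …) rather than only PIs. A why-comment above the new line would save the next reader from re-deriving this: `# Only element nodes can ever be kept; comments, PIs and other non-element nodes are always stripped.` Stripping is also the safer choice beyond the browser case the CHANGELOG considers, because a consumer that re-parses the sanitized output as XML honors a PI instead of treating it as a bogus comment. `scrub` begins and ends outside this hunk, so whether text or CDATA nodes can reach this guard depends on `skip_node?` and the earlier branch, which are not visible here.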
text
text", safe_list_sanitize("
text
text"))
+ end
+
+ def test_exclude_node_type_comment
+ assert_equal("
text
text", safe_list_sanitize("
text
text"))
+ end
+
 protected
 def xpath_sanitize(input, options = {})
From 2a7d3f208601fa069f804c54744b8f33df901773 Mon Sep 17 00:00:00 2001
From: Mike Dalessio
Date: Sun, 18 Jul 2021 23:19:14 -0400
Subject: [PATCH 2/2] CI: add modern rubies to the matrix
---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.travis.yml b/.travis.yml
index 3e0b723..9b992ac 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,6 +7,8 @@ rvm:
 - 2.4
 - 2.5
 - 2.6
+ - 2.7
+ - 3.0
 - ruby-head
 - jruby
 matrix: